Unfortunately, VLC is high on the list of applications for which updates are most frequently neglected. They have yet to see exploits performing code execution through these vulnerabilities but, nevertheless, users are advised to refrain “from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.” ASLR and DEP help reduce the likeliness of code execution, but may be bypassed,” the VideoLAN team noted. While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. “If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user. The vulnerabilities can be exploited by delivering specially crafted media files and tricking victims into opening them. Just hit the shortcut keys and see the resulting action instantly. The hotkeys are great for quick video playback actions. You can perform several actions without even moving your mouse or clicking on the menu buttons. But we have thought it would also be convenient to report these bugs, allowing the VLC team to fix them.” VLC Media player shortcuts are great for saving you some time. “Three other less critical bugs, such as div-by-zero, have also been reported, even though they don’t allow code execution. Effectively allowing an attacker to take control of the computer,” the Semmle security research team explained. They could each potentially be used by an attacker to execute code on the victim machine through a specially crafted file. “The most critical issues fixed are use-after-free and OOB write vulnerabilities. Allows audio passthrough for HD audio codecs. VLC supports 360 video and 3D audio, up to Ambisonics 3rd order. VLC 3.0 activates hardware decoding by default, to get 4K and 8K playback. It supports 10-bit and HDR.
VLC 3.0.8 plugged 15 vulnerabilities found in its various demuxers and decoders. Eleven flaws were discovered by Semmle researcher Antonio Morales Maldonado. VLC 3.0 'Vetinari' is a new major update of VLC. The VLC bug bounty program was concluded last week, but others sponsored by the European Commission are still open. It is currently maintained by the VideoLAN non-profit organization, which took advantage of a bug bounty program set up and sponsored by EU’s Free and Open Source Software Audit (FOSSA 2) project. It’s free and open-source and is available for Windows, macOS, Linux, Android, Chrome OS, iOS, Apple TV, and Windows Phone. VLC is an extremely popular piece of software that started as an academic project. VLC, the popular cross-platform media player, has reached version 3.0.8, which fixes over a dozen security vulnerabilities, some of which could be exploited by attackers to achieve code execution on victims’ machines.